Re: Re: relaying arguments using system call

I prefer this form (it is a little faster, a little shorter and lets you add more args at the cost of a , and the $arg_name).

my( $username, $user ) = @ARGV;
[download]

The multi-arg form of system offers some protection from hacking but remember you are passing $username and $user to the SHELL so it is a good idea to make sure that they only contain non shell chars. Typically you remove everything except your allowed list (it is better to specify what you will allow than try to think of everything bad - you will miss stuff):

$var = ";rm -rf /*;";
my $ILLEGAL_CHARS = qr/[^A-Za-z0-9._-]/;
$var =~ s/$ILLEGAL_CHARS/_/g;
print $var;
[download]

If you were using the single arg form of system and allowed that string (un-sanitized) it would try to execute that command.....

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

Comment on Re: Re: relaying arguments using system call Select or Download Code

Replies are listed 'Best First'.
Re: Re: Re: relaying arguments using system call by jonnyfolk (Vicar) on Mar 21, 2003 at 12:35 UTC
Hi tachyon, thanks once again. I wonder if you have time if you could help me unravel what you're doing! If I'm correct you are saying $var minus $ILLEGAL_CHARS equals acceptable $var. However I don't understand the expression `$var = ";rm -rf /*;";` also `qr/[^A-Za-z0-9._-]/;` Am I right in thinking that `qr//;` allows you to assign the regex to the variable, rather than have it act upon the variable? Also it looks as though the $ILLEGAL_CHARS are the one's that I would wish to keep (as per the sense of your explanation) but they are being removed from the variable. I'm sorry if this all seems to be silly or uninformed - I am doing my best to make sense of it and I hope that by not flinching in asking silly questions now I might learn enough to start asking sensible questions in the first place!!	[reply] [d/l] [select]
Re: Re: Re: Re: relaying arguments using system call by benn (Vicar) on Mar 21, 2003 at 14:34 UTC
The expression $var = ";rm -rf /;"; is an example of dangerous input - if this was passed to 'system', the ';' would mark the end of the previous command, and then system would execute the 'rm' command. The qr/[^A-Za-z0-9._-\]/; expression creates a compiled regex - a variable with regex expressions in it that is 'ready to be used' in another regex. Note that the character class [^...] starts with a 'hat'. This reverses the class so that it refers to all characters except* the ones in the class. So actually the expression says "$var minus anything that ISN'T that lot. This is often confusing I know, as the 'hat' is also used as an start-string anchor, but you get used to it :).	[reply]
Re: Re: Re: Re: Re: relaying arguments using system call by tachyon (Chancellor) on Mar 22, 2003 at 08:06 UTC
Nicely explained. cheers tachyon s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print	[reply]